Quiz: Emerging Threats

A 26-question self-check covering threat evolution, ransomware's business model, next-generation supply chain attacks, deepfakes, and post-quantum cryptography. Questions tagged [Sec+] map to CompTIA Security+ domains and [CISSP] to (ISC)² CISSP domains, so certification candidates can self-assess. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] The business model in which a core group develops ransomware and rents it to affiliates who carry out attacks is called: A. malware-as-a-service generally B. ransomware-as-a-service (RaaS) C. an initial access broker D. a data-leak site

2. [Sec+] A criminal who specializes in breaking into organizations and selling that access to other attackers, rather than exploiting it themselves, is a(n): A. ransomware operator B. affiliate C. initial access broker D. red teamer

3. Double extortion adds which threat to classic file-encrypting ransomware? A. a denial-of-service attack B. exfiltrating data first and threatening to publish it C. harassing the victim's customers D. demanding payment in a new cryptocurrency

4. [Sec+] Abusing legitimate built-in tools such as PowerShell and WMI to avoid dropping detectable malware is called: A. zero-day exploitation B. living-off-the-land C. typosquatting D. dependency confusion

5. Which quantum-relevant algorithm threatens RSA and ECC specifically? A. Grover's algorithm B. Shor's algorithm C. AES in counter mode D. the Diffie-Hellman exchange

6. [CISSP] A large quantum computer would most threaten which kind of cryptography? A. symmetric encryption like AES-256 B. cryptographic hash functions like SHA-256 C. asymmetric (public-key) algorithms like RSA and ECC D. password hashing like Argon2

7. Harvest-now-decrypt-later means an adversary: A. decrypts data faster using GPUs B. stores your encrypted data now to decrypt it after quantum computers exist C. harvests credentials from memory D. delays a ransomware payment to negotiate

8. [Sec+] Publishing a malicious package with a name one keystroke from a popular one (e.g., reqeusts for requests) is: A. dependency confusion B. typosquatting C. a build-pipeline compromise D. a leak site

9. Which property lets a system swap cryptographic algorithms by configuration rather than by rebuilding? A. forward secrecy B. crypto-agility C. non-repudiation D. key escrow

10. [CISSP] The single highest-value control against ransomware availability impact is: A. antivirus signatures B. immutable, offline, tested backups C. a faster firewall D. longer passwords

11. Against a visually flawless deepfake CFO on a video call requesting a wire transfer, the most durable control is: A. deepfake-detection software that spots artifacts B. an out-of-band callback to the CFO's known number C. a better video codec D. asking the caller to repeat the request

12. [Sec+] A software bill of materials (SBOM) is most directly valuable when: A. negotiating a vendor contract B. a critical flaw is announced in a nested open-source component C. encrypting data at rest D. training staff on phishing

13. The SolarWinds-pattern supply chain attack is hard to detect at installation because: A. the update is unsigned B. the malicious code ships inside a legitimately signed vendor update C. it uses a typosquatted name D. it triggers antivirus immediately

14. [Sec+] NIST's 2024 post-quantum standards include a key-encapsulation mechanism and digital signature schemes. The key-encapsulation standard (ML-KEM) is: A. FIPS 197 B. FIPS 203 C. SP 800-53 D. RFC 8446


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

15. "An organization with excellent, tested immutable backups is fully protected against modern double-extortion ransomware."

16. [Sec+] "Because large quantum computers don't exist yet, post-quantum migration can safely wait until they do."

17. "Symmetric algorithms like AES-256 must be abandoned entirely once quantum computers arrive."

18. "Training staff to recognize deepfakes by visual glitches is a durable long-term defense."

19. [CISSP] "A digitally signed software update from a trusted vendor cannot be a supply chain attack vector."


Section 3 — Fill in the blank (1 pt each)

20. The three forces driving threat evolution are commoditization, __, and adaptation to defenses.

21. Extortion that, beyond encrypting and exfiltrating, also directly threatens the victim's customers or adds a DoS attack is called __ extortion.

22. [Sec+] A structured, continuous practice of monitoring emerging threats so an organization anticipates rather than reacts is called __ __.

23. Quantum exposure of a system depends on the algorithm type and on how long the __ must stay confidential.


Section 4 — Short answer (2 pts each)

24. [CISSP] Explain why "the best time to catch ransomware is before the ransom note," referencing the typical sequence of a modern intrusion and naming one thing you would hunt for during the quiet phase.

25. A defender is prioritizing a post-quantum migration. Two systems both use RSA-2048: one protects a ten-minute payment session, the other a twenty-year records archive. Which is more quantum-exposed and why? What does this teach about prioritization?

26. [Sec+] Name two procedural controls (not detection technology) that defeat deepfake-enabled executive-impersonation fraud even if the synthetic audio/video is perfect, and explain why each works.


Answer Key

1. **B** — RaaS rents the platform to affiliates.
2. **C** — an initial access broker sells footholds.
3. **B** — double extortion exfiltrates first, then threatens publication.
4. **B** — living-off-the-land abuses legitimate tools.
5. **B** — Shor's algorithm breaks RSA/ECC.
6. **C** — asymmetric public-key is the crisis; symmetric ciphers and hashes are only modestly affected.
7. **B** — capture now, decrypt after quantum arrives.
8. **B** — typosquatting.
9. **B** — crypto-agility.
10. **B** — immutable, offline, tested backups (for the availability impact).
11. **B** — out-of-band callback to a known channel; artifact detection is a losing arms race.
12. **B** — an SBOM lets you query exposure to a nested component in minutes.
13. **B** — it ships inside a legitimately signed vendor update, so signature checks pass.
14. **B** — ML-KEM is FIPS 203 (FIPS 204 ML-DSA and FIPS 205 SLH-DSA are the signature standards; FIPS 197 is AES; RFC 8446 is TLS 1.3).
15. **F** — backups restore *availability*, but double extortion already exfiltrated the data, so the *confidentiality* breach and threat to publish remain.
16. **F** — harvest-now-decrypt-later means long-lived data must be protected today; waiting exposes it retroactively.
17. **F** — Grover's algorithm only halves effective key strength, so AES-256 still offers roughly 128-bit security; the response is to use 256-bit keys (move off AES-128), not to abandon AES.
18. **F** — as generation improves, glitches vanish; durable defense is process/out-of-band verification.
19. **F** — the SolarWinds pattern inserts malicious code into a legitimate build *before* signing, so a trusted signed update can absolutely be the vector.
20. specialization.
21. triple.
22. horizon scanning.
23. data.
24. A modern intrusion runs access → quiet dwell (lateral movement, privilege escalation, exfiltration) → detonation; the encryption is the loud finale of a long quiet phase, so detection during dwell catches it before the ransom note. Hunt anomalous living-off-the-land activity (unusual PowerShell/WMI), new admin accounts, internal scanning, or large unusual egress.
25. The twenty-year archive is far more quantum-exposed: harvest-now-decrypt-later means its long confidentiality lifetime overlaps the expected arrival of quantum computers, while the ten-minute session secret is worthless before any quantum computer could break it. Prioritize by quantum *exposure* (algorithm type × data lifetime), not by algorithm alone.
26. Any two: an out-of-band callback to a pre-established known channel (defeats a fake on the current channel); a pre-shared verification phrase the real party knows (the fake was not trained on it); phishing-resistant step-up authentication via a hardware key (a cloned face/voice cannot satisfy it); a policy that no urgency skips verification (removes the lever the attack depends on).

**Topics to review by question:** 1–4, 20–21, 24 → §35.1–35.2; 12–13, 26(supply) → §35.3; 11, 18, 26 → §35.4; 5–7, 9–10(quantum), 14, 16–17, 23, 25 → §35.5; 22 → §35.6; 15 → §35.2 (CIA triad); 19 → §35.3.
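Worked example for questions 7, 16, 23 and 25 (added here; it is not part of the quiz or its source chapter). It turns "exposure = algorithm type × data lifetime" into a ranking, and goes one step further than the answer key by adding the migration lead time term from Mosca's inequality: a confidentiality system is exposed when the years its data must stay secret plus the years needed to migrate exceed the years until a cryptographically relevant quantum computer exists. The horizon and migration figures, the algorithm-family sets and the sample inventory are all assumptions for illustration.

```python
"""Rank systems by quantum exposure.

Confidentiality exposure follows Mosca's inequality: a system is exposed when
X (years the data must stay secret) + Y (years to migrate) > Z (years until a
cryptographically relevant quantum computer). Z and Y below are assumptions,
not planning guidance; replace them with your own estimates."""
from dataclasses import dataclass

ASSUMED_CRQC_HORIZON_YEARS = 10.0   # Z: assumed
ASSUMED_MIGRATION_YEARS = 3.0       # Y: assumed time to retire the algorithm in a system

# Shor-class families are broken outright; Grover-class ones only lose half their effective bits.
SHOR_BROKEN = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519", "X25519"}
GROVER_ONLY = {"AES", "CHACHA20", "SHA-256", "SHA-384", "SHA-512", "SHA3-256", "HMAC"}


@dataclass
class System:
    name: str
    algorithm: str         # family, e.g. "RSA"
    key_bits: int
    use: str               # "confidentiality" or "authentication"
    secrecy_years: float   # X: how long the protected data must stay confidential


@dataclass
class Assessment:
    name: str
    exposed: bool
    slack_years: float     # Z - (X + Y); negative means waiting is already unsafe
    reason: str


def assess(s, horizon=ASSUMED_CRQC_HORIZON_YEARS, migration=ASSUMED_MIGRATION_YEARS):
    alg = s.algorithm.upper()
    if alg in GROVER_ONLY:
        # Grover's algorithm roughly halves effective key strength: 256-bit keys keep ~128 bits.
        if s.key_bits >= 256:
            return Assessment(s.name, False, float("inf"), "Grover-class only; 256-bit key stays adequate")
        return Assessment(s.name, True, 0.0, f"Grover-class; {s.key_bits}-bit key should move to 256 bits")
    if alg in SHOR_BROKEN:
        if s.use == "confidentiality":
            # Harvest-now-decrypt-later: ciphertext captured today is readable once the CRQC exists,
            # so the data's own secrecy lifetime counts against the horizon.
            slack = horizon - (s.secrecy_years + migration)
            why = (f"Shor-class; secret for {s.secrecy_years:.4g} y + migration {migration} y "
                   f"vs horizon {horizon} y")
        else:
            # Signatures cannot be forged retroactively: only the migration lead time must beat the horizon.
            slack = horizon - migration
            why = f"Shor-class signature/auth; only migration lead time ({migration} y) counts"
        return Assessment(s.name, slack < 0, slack, why)
    raise ValueError(f"unknown algorithm family: {s.algorithm}")


def prioritize(systems, **kw):
    """Most urgent first: smallest (most negative) slack at the top."""
    return sorted((assess(s, **kw) for s in systems), key=lambda a: a.slack_years)


# Constructed inventory: the two RSA-2048 systems from question 25 plus three others.
SAMPLE_SYSTEMS = [
    System("payment-session", "RSA", 2048, "confidentiality", 10 / (365 * 24 * 60)),  # ten minutes
    System("records-archive", "RSA", 2048, "confidentiality", 20.0),
    System("backup-at-rest", "AES", 256, "confidentiality", 20.0),
    System("legacy-vpn", "AES", 128, "confidentiality", 1.0),
    System("code-signing", "ECDSA", 256, "authentication", 0.0),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_SYSTEMS):
        status = "EXPOSED" if a.exposed else "ok"
        print(f"{status:8} slack={a.slack_years:+.2f}y {a.name}: {a.reason}")
```

The archive lands at the top with thirteen years of negative slack while the ten-minute session has years to spare, which is the answer-key point; the extra lesson is that the same RSA-2048 signature key used for authentication is on a third, different timeline, because nothing captured today can be forged later.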
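Worked example for question 12 (added here, not from the quiz or its source chapter). When a flaw is announced in a nested open-source component, the SBOM question is "which of our products pull it in, through what path, and at an affected version?". The two CycloneDX 1.5 documents, the product and library names, and the advisory ("yaml-fast below 3.1.0") are constructed for the example and describe no real software or vulnerability; the `find_exposed_products` helper is mine, not part of any SBOM tool.

```python
"""Answer 'are we exposed to component X below version V?' from CycloneDX SBOMs.

The documents below are constructed for this example; the names are not real
packages and the advisory is hypothetical."""
import json

SBOMS_JSON = r'''[
{"bomFormat":"CycloneDX","specVersion":"1.5",
 "metadata":{"component":{"bom-ref":"payments-api@2.3.0","type":"application","name":"payments-api","version":"2.3.0"}},
 "components":[
  {"bom-ref":"webfw@4.18.2","type":"library","name":"webfw","version":"4.18.2","purl":"pkg:npm/webfw@4.18.2"},
  {"bom-ref":"querystr@6.11.0","type":"library","name":"querystr","version":"6.11.0","purl":"pkg:npm/querystr@6.11.0"},
  {"bom-ref":"internal-logger@1.0.0","type":"library","name":"internal-logger","version":"1.0.0","purl":"pkg:npm/internal-logger@1.0.0"},
  {"bom-ref":"yaml-fast@3.0.4","type":"library","name":"yaml-fast","version":"3.0.4","purl":"pkg:npm/yaml-fast@3.0.4"}],
 "dependencies":[
  {"ref":"payments-api@2.3.0","dependsOn":["webfw@4.18.2","internal-logger@1.0.0"]},
  {"ref":"webfw@4.18.2","dependsOn":["querystr@6.11.0"]},
  {"ref":"internal-logger@1.0.0","dependsOn":["yaml-fast@3.0.4"]},
  {"ref":"querystr@6.11.0","dependsOn":[]},
  {"ref":"yaml-fast@3.0.4","dependsOn":[]}]},
{"bomFormat":"CycloneDX","specVersion":"1.5",
 "metadata":{"component":{"bom-ref":"reporting-ui@1.2.0","type":"application","name":"reporting-ui","version":"1.2.0"}},
 "components":[
  {"bom-ref":"yaml-fast@3.1.0","type":"library","name":"yaml-fast","version":"3.1.0","purl":"pkg:npm/yaml-fast@3.1.0"}],
 "dependencies":[
  {"ref":"reporting-ui@1.2.0","dependsOn":["yaml-fast@3.1.0"]},
  {"ref":"yaml-fast@3.1.0","dependsOn":[]}]}
]'''


def parse_version(v):
    """Dotted numeric versions only; non-numeric parts compare as 0 (good enough for the example)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def purl_base(purl):
    """'pkg:npm/yaml-fast@3.0.4' -> 'pkg:npm/yaml-fast' (rpartition keeps scoped names like @org/name intact)."""
    base, sep, _ = purl.rpartition("@")
    return base if sep else purl


def exposure_paths(bom, affected_purl, fixed_version):
    """Walk the dependency graph from the product; return (hit paths, unresolved refs)."""
    root = bom["metadata"]["component"]
    comps = {c["bom-ref"]: c for c in bom.get("components", [])}
    comps[root["bom-ref"]] = root
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    fixed = parse_version(fixed_version)
    hits, unresolved = [], []

    def label(ref):
        return f"{comps[ref]['name']}@{comps[ref]['version']}"

    def walk(ref, path):
        if ref in path:                      # cycle guard
            return
        if ref not in comps:                 # dangling bom-ref: the SBOM is incomplete, say so
            unresolved.append(ref)
            return
        path = path + [ref]
        comp = comps[ref]
        if purl_base(comp.get("purl", "")) == affected_purl and parse_version(comp["version"]) < fixed:
            hits.append([label(r) for r in path])
        for child in graph.get(ref, []):
            walk(child, path)

    walk(root["bom-ref"], [])
    return hits, unresolved


def find_exposed_products(boms_json, affected_purl, fixed_version):
    """Map product name -> {'paths': [...], 'unresolved': [...]} for every product that needs attention."""
    report = {}
    for bom in json.loads(boms_json):
        product = bom["metadata"]["component"]["name"]
        paths, unresolved = exposure_paths(bom, affected_purl, fixed_version)
        if paths or unresolved:
            report[product] = {"paths": paths, "unresolved": unresolved}
    return report


if __name__ == "__main__":
    for product, info in find_exposed_products(SBOMS_JSON, "pkg:npm/yaml-fast", "3.1.0").items():
        for path in info["paths"]:
            print(product, "<-", " <- ".join(reversed(path)))
```

The payments product is exposed only through an internal wrapper library, which is exactly the nesting that makes manual inspection miss it; the reporting product ships the fixed version and is correctly left out. Unresolved references are reported rather than ignored, because an SBOM with dangling entries cannot prove a product clean.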
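Worked example for question 24 (added here; not from the quiz or its source chapter). The answer key names four things to hunt during the quiet dwell phase: living-off-the-land tool abuse, new admin accounts, internal scanning and unusual egress. Below, each becomes a rule run over a handful of constructed JSON-lines endpoint events (process starts and network connections); the event schema, hostnames, thresholds and the encoded command are all made up for the example, and the rules are starting points, not a tuned detection set.

```python
"""Dwell-phase hunting rules over constructed endpoint telemetry (JSON lines).

Event schema, hosts, thresholds and sample lines are invented for this example."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# RFC 1918 only: do not rely on ipaddress.is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "mshta.exe")
SCAN_DISTINCT_HOSTS = 10                 # assumed: distinct internal targets on one port ...
SCAN_WINDOW = timedelta(seconds=60)      # ... within this window
EGRESS_BYTES = 1_000_000_000             # assumed: 1 GB to a non-internal address
ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)(\s|$)|\s-w(indowstyle)?\s+hidden")


def is_internal(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def base(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def process_rules(ev):
    img, parent = base(ev.get("image", "")), base(ev.get("parent", ""))
    cmd = ev.get("cmdline", "")
    low = cmd.lower()
    out = []
    if img in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(cmd):
        out.append("encoded-or-hidden-powershell")          # LOLBin: hiding the script body
    if parent in OFFICE_PARENTS and img in SHELLS:
        out.append("office-spawned-shell")                  # classic initial-access chain
    if (img == "wmic.exe" and "process call create" in low) or (parent == "wmiprvse.exe" and img in SHELLS):
        out.append("wmi-remote-exec")                       # lateral movement via WMI
    if img in ("net.exe", "net1.exe") and "localgroup administrators" in low and "/add" in low:
        out.append("new-local-admin")                       # persistence / privilege escalation
    return out


def netconn_rules(events):
    out = []
    by_port = defaultdict(list)                              # (host, dport) -> [(ts, dst)]
    for ev in events:
        dst = ev.get("dst", "")
        if is_internal(dst):
            by_port[(ev["host"], ev.get("dport"))].append((parse_ts(ev["ts"]), dst))
        elif ev.get("bytes_out", 0) >= EGRESS_BYTES:
            out.append((ev["host"], "large-egress", f"{ev['bytes_out']} bytes to {dst}:{ev.get('dport')}"))
    for (host, dport), conns in by_port.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):                  # sliding window over distinct targets
            seen = {d for t, d in conns[i:] if t - t0 <= SCAN_WINDOW}
            if len(seen) >= SCAN_DISTINCT_HOSTS:
                out.append((host, "internal-scan", f"{len(seen)} internal hosts on port {dport} within {SCAN_WINDOW.seconds}s"))
                break
    return out


def hunt(log_text):
    findings, netconns = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                                         # malformed telemetry must not abort the hunt
        if ev.get("event") == "process":
            findings += [{"host": ev["host"], "rule": r, "evidence": ev.get("cmdline", "")} for r in process_rules(ev)]
        elif ev.get("event") == "netconn":
            netconns.append(ev)
    findings += [{"host": h, "rule": r, "evidence": e} for h, r, e in netconn_rules(netconns)]
    return findings


# Constructed sample: one intrusion on WS-114/FS-02 plus benign activity on WS-201.
_SCAN = "\n".join(json.dumps({"ts": f"2024-05-01T02:20:{i:02d}Z", "host": "WS-114", "event": "netconn",
                              "dst": f"10.0.5.{i}", "dport": 445, "bytes_out": 1200}) for i in range(1, 13))
SAMPLE_LOG = r'''
{"ts":"2024-05-01T02:13:05Z","host":"WS-114","event":"process","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"ts":"2024-05-01T02:14:10Z","host":"WS-114","event":"process","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmdline":"wmic /node:FS-02 process call create \"cmd.exe /c whoami\""}
{"ts":"2024-05-01T02:15:33Z","host":"FS-02","event":"process","image":"C:\\Windows\\System32\\net.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmdline":"net localgroup administrators svc_backup2 /add"}
{"ts":"2024-05-01T02:30:00Z","host":"WS-114","event":"netconn","dst":"203.0.113.7","dport":443,"bytes_out":4800000000}
{"ts":"2024-05-01T09:00:00Z","host":"WS-201","event":"process","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"powershell.exe Get-ChildItem C:\\Users"}
{"ts":"2024-05-01T09:01:00Z","host":"WS-201","event":"netconn","dst":"10.0.5.20","dport":445,"bytes_out":4096}
''' + _SCAN

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['host']:7} {f['rule']:30} {f['evidence'][:60]}")
```

Every finding here precedes any encryption event, which is the point of the question: the ordinary PowerShell on WS-201 stays silent, while the Office-spawned encoded shell, WMI remote execution, new local admin, SMB sweep and multi-gigabyte upload are the quiet phase made visible.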
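Worked example for question 8 (added here; not from the quiz or its source chapter). The quiz's own example, reqeusts for requests, is a transposition: plain Levenshtein distance scores it 2, so a check built on it with a threshold of 1 misses the single most common typosquat shape, while optimal string alignment (Damerau-Levenshtein) scores it 1. The popular-package allowlist and the requirements file below are constructed stand-ins; a real check would load the registry's top-N list. This covers typosquatting only, not dependency confusion, which needs a registry lookup.

```python
"""Flag requested packages that are one edit away from a popular name.

POPULAR and SAMPLE_REQUIREMENTS are constructed for this example."""
import re

POPULAR = {"requests", "urllib3", "numpy", "pandas", "cryptography", "boto3", "django", "flask", "pyyaml"}


def normalize(name):
    """PEP 503 normalization: PyPI treats Requests, requests and REQUESTS as the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Insert / delete / substitute only. A transposition costs 2 here."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def osa_distance(a, b):
    """Optimal string alignment (restricted Damerau-Levenshtein): adjacent transposition costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def check_requirements(lines, popular=POPULAR, max_distance=1):
    """Return one finding per requested name that is not popular itself but sits within
    max_distance edits of a popular name. Names of 4 characters or fewer are skipped:
    at that length, distance-1 collisions between legitimate packages are common."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()                  # drop comments
        if not line:
            continue
        name = re.split(r"[<>=!~\[; ]", line, 1)[0]         # strip version specifiers / extras
        norm = normalize(name)
        if norm in popular or len(norm) <= 4:
            continue
        dist, nearest = min((osa_distance(norm, p), p) for p in popular)
        if dist <= max_distance:
            findings.append({"requested": name, "looks_like": nearest, "distance": dist})
    return findings


SAMPLE_REQUIREMENTS = """
requests==2.31.0
reqeusts==2.31.0        # transposition of 'requests'
Django>=4.2             # fine: normalizes to 'django'
djanga
urlib3
boto3
pyyaml
"""

if __name__ == "__main__":
    for f in check_requirements(SAMPLE_REQUIREMENTS.splitlines()):
        print(f"SUSPECT {f['requested']!r} looks like {f['looks_like']!r} (distance {f['distance']})")
```

Run it in CI against the lockfile rather than the human-written requirements, so transitive additions are covered too; treat a hit as "stop and look", not proof, since a distance-1 neighbour of a popular name is occasionally a legitimate fork.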